It is hard to keep up with all of the various computer security incidents occurring daily. One can’t help but wonder if more incidents are being reported and spreading through social media and internet news or if more incidents are taking place. It is likely both. The good news is, over the last couple of years, IT pros have been taking notice and beginning to take security seriously.
For this post, I want to discuss one category of computer security incidents – the data breach. Specifically, I want to talk about data breaches that involve unprotected or weakly protected data. These types of breaches come in various flavors but generally fall into the following categories:
- Unencrypted data on a stolen laptop. There are many examples of these incidents: the Milford Schools data breach, and Stanford has also been the victim of laptop thieves, where the laptops contained sensitive health information without encryption. These specific breaches are among the easiest to protect against. In short, just encrypt laptop hard drives. That will thwart the vast majority of data leakage from these types of incidents. In the first link above, it is interesting to note that the article indicates that the laptop was “password protected”. Bypassing a logon password is a simple and automated process, often involving freeware utilities that can blank out or reset the password without any knowledge of the existing password. Thus, using the logon password as the only protection is insufficient in most cases. In the second link above, the article notes that the laptop was stored in a “badge-access controlled area”. Bypassing physical security is very straightforward. Put on the appropriate attire (UPS Halloween costume, gas company uniform, tool belt, etc.) and smile as you walk wherever you need to walk.
- Unencrypted data on a publicly accessible server. Sometimes, a data breach involves privacy more than mission-critical data. In a well-publicized incident, hackers were able to extract ICC IDs and associated email addresses for early iPad 3G users directly from the AT&T web site. The data was not encrypted and was open to any anonymous internet user who knew a simple technique to obtain it. Unencrypted data on publicly accessible servers isn’t always about privacy. It can also involve sensitive or confidential data. In either case, the data should be stored using encryption.
- Weakly protected passwords on an internal or external computer. Data breaches involving encrypted passwords occur regularly. The good news is that many organizations use strong encryption, have strong password policies, and use salting to increase the security of stored encrypted passwords. In such cases, the encrypted passwords are often worthless to the attacker. However, occasionally we see incidents involving large organizations that do not use strong encryption or don’t use salting, as was the case with a recent Adobe incident. Weakly protected passwords aren’t just those without encryption or without salting. There have also been high-profile cases of insufficient security in self-service password reset questions, where information available on the internet can be used to answer the questions and reset a password, and of social engineering, where callers are able to talk a support person into resetting a password without proper account validation. It is still quite common to see default self-service password reset questions asking for your mother’s maiden name (available on genealogy sites), your city of birth (available online via birth records, or with a few tries using public school records or www.classmates.com), or your pet’s name (available on social media).
How do you protect yourself from these incidents? Strangely enough, it often isn’t secret techniques or complex and expensive solutions. Instead, it is mostly common sense. Here are my top 5 tactics for avoiding these types of data breaches:
- Encrypt sensitive data. It doesn’t matter where the data resides: in your own data center, in your home, in the cloud. Sensitive data is sensitive data and it must be protected with encryption.
- Validate your IT security. Hire a penetration tester. Run a social engineering experiment to see how exploitable your employees are. Use logging, auditing, and monitoring products to alert you about security incidents.
- Store passwords with encryption and use salting, especially for internet-facing systems. For internal systems, use strong password policies to avoid weak password hashes that are susceptible to password cracking programs.
- Lock down your smartphone. This one may seem like it is coming out of left field. But the smartphone is often the quickest way to gain access to a multitude of services and data. If an attacker gains access to your smartphone, then the attacker often gains access to your email. Often, access to your email is enough to kick off password resets across a variety of services. In addition, your smartphone can be used in social engineering attacks – send an SMS message to the IT guy, have a corporate password reset and gain access to corporate data, reply to self-service password reset services that are tied to your smartphone, or collect information on social media friends for additional attacks.
- Patch your computing devices. This is one of the most common recommendations. But it is also one of the least followed (at least timely and consistently). The easiest way to steal data is to use a prepackaged exploit, which is available for a nominal fee to any internet user. Even if your data is encrypted, if somebody gains administrative access to your systems, they can harvest the credentials needed to decrypt the data before stealing it.
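The two password points above (the weakly protected password breaches in the third category, and the "store passwords with encryption and use salting" tactic) are easiest to see side by side. The following is an added example, not code from the original post: it stores a small constructed set of user passwords two ways, first as an unsalted single-round digest and then as a per-user salted, iterated PBKDF2-HMAC-SHA256 digest, and shows why the first form falls to a precomputed lookup table while the second forces an attacker to redo the full work for every user. The user names, passwords, candidate list and iteration count are constructed for the demonstration; only the Python standard library is used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob happen to share a password,
# which is exactly the situation unsalted storage exposes.
SAMPLE_USERS = {"alice": "Summer2013!", "bob": "Summer2013!", "carol": "correct horse"}

# Constructed list of common passwords an attacker might precompute digests for.
COMMON_PASSWORDS = ["password", "123456", "Summer2013!", "letmein"]

# Assumed work factor; production deployments should tune this to their hardware.
PBKDF2_ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round MD5: the weak storage scheme the post warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_store(users: dict) -> dict:
    """Store every user as an unsalted digest. Identical passwords give identical digests."""
    return {user: weak_hash(pw) for user, pw in users.items()}


def lookup_table_attack(stored: dict, candidates: list) -> dict:
    """Why unsalted digests fail: one table of len(candidates) digests, built once,
    recovers every user who chose any candidate, with no per-user work at all."""
    table = {weak_hash(c): c for c in candidates}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_record(password: str) -> dict:
    """Per-user random salt plus an iterated KDF; the record stores what verification needs."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def salted_store(users: dict) -> dict:
    """Store every user with their own salt. Shared passwords no longer share digests."""
    return {user: salted_record(pw) for user, pw in users.items()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def per_user_guessing_cost(stored: dict, candidates: list):
    """With salts, no shared table is possible: each user needs their own KDF runs.
    Returns (recovered accounts, number of full-cost KDF computations spent)."""
    recovered, work = {}, 0
    for user, record in stored.items():
        for guess in candidates:
            work += 1
            if verify(record, guess):
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    weak = weak_store(SAMPLE_USERS)
    print("unsalted:", lookup_table_attack(weak, COMMON_PASSWORDS))
    salted = salted_store(SAMPLE_USERS)
    found, work = per_user_guessing_cost(salted, COMMON_PASSWORDS)
    print("salted:", found, "after", work, "full-cost KDF runs")
```

The point of the last function is not that salting makes a guessable password unguessable; alice and bob are still found because "Summer2013!" is in the candidate list. It is that the attacker pays the full iterated cost separately for every user and every guess, where the unsalted store was broken by a table that cost nothing per user and is reusable against every other site that stores passwords the same way.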